On Tue, 28 Aug 2012, Jacob Steinberger wrote:
> Syslog-ng 1.68, rsyslog 3.22.1
>
> I'm in the process of setting up a new environment that's pure rsyslog and
> something more current than 3.22.1 ... but in the meantime put your old
> thinking caps back on as I've stumbled into a rather old installation!
>
> Syslog-ng is the current receptor for traffic. I'm forwarding those messages
> to rsyslog. When rsyslog gets them ... they don't look right. I've tried
> mucking with templates and regular expressions to reformat the message but
> that's taking a while and thought there might be an existing solution that
> I'm missing.
>
> Rsyslog rawmsg looks like thus:
> <133>Aug 28 14:45:41 local/hostnamebob notice syslog[tag]: message
>
> Rsyslog goes further to print out using the traditional templates like thus:
> August 28 14:45:41 relayhostname local/hostnamebob notice syslog[tag]:
> message
>
> Looks like syslog-ng is chaining, rsyslog doesn't like it and thinks it's all
> part of the message. Is there an easy template fix to this? It's been a while
> since I've been able to work with rsyslog so I feel like I'm missing
> something quite obvious.

The problem is in the syslogng config. It is not following the syslog
standards (the local/ in front of the hostname is illegal per spec, and
putting 'notice' between the hostname and the syslogtag is wrong).

Nobody has bothered to write a syslog-ng fixup parser yet.

Thinking about it, it's not that hard to do.

I would make it very similar to the cisconames input module. It would look
at the raw message for what should be the beginning of the hostname, check
to see if it says "local/" and if so delete that from the message. It
would then check the next word to see if it looks like a priority name,
and if so delete that. It would then claim to have failed so that the
resulting message gets parsed normally.

I'll see about throwing something together in the next couple of days
(assuming nobody else does anything first :-)

This won't work for the case where syslogng is forwarding messages for
other systems (and the chaining that it does there), that would be a
separate set of fixups.

David Lang
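
The fixup described in the reply above, sketched as a stand-alone C function. This is an added example, not code from the thread or from rsyslog: `fixup_syslogng`, `cut` and the severity-name list are assumptions, and it does not use rsyslog's parser-module interface.

```c
#include <ctype.h>
#include <string.h>

/* Severity names as in <syslog.h>; assumed to be the spellings syslog-ng inserts. */
static const char *const sev_names[] = { "emerg", "alert", "crit", "err",
    "warning", "notice", "info", "debug", NULL };

/* Delete n bytes at p, shifting the rest of the string (and its NUL) left. */
static void cut(char *p, size_t n) { memmove(p, p + n, strlen(p + n) + 1); }

/* Hypothetical helper: rewrite msg in place, return bytes removed (0 = untouched). */
size_t fixup_syslogng(char *msg)
{
    size_t removed = 0;
    char *p = msg;

    if (*p == '<') {                      /* skip the "<PRI>" header */
        char *q = p + 1;
        while (isdigit((unsigned char)*q)) q++;
        if (q == p + 1 || *q != '>') return 0;
        p = q + 1;
    }
    /* RFC 3164 timestamp "Mmm dd hh:mm:ss " is 16 bytes; leave anything else alone */
    if (strlen(p) < 16 || p[3] != ' ' || p[6] != ' ' || p[9] != ':' ||
        p[12] != ':' || p[15] != ' ')
        return 0;
    p += 16;                              /* p = start of the hostname field */

    if (strncmp(p, "local/", 6) == 0) { cut(p, 6); removed += 6; }

    char *word = strchr(p, ' ');          /* end of the hostname */
    if (word == NULL) return removed;
    word++;                               /* word after the hostname */
    char *end = strchr(word, ' ');
    if (end == NULL) return removed;
    size_t len = (size_t)(end - word);
    for (size_t i = 0; sev_names[i] != NULL; i++) {
        if (strlen(sev_names[i]) == len && strncmp(word, sev_names[i], len) == 0) {
            cut(word, len + 1);           /* drop the name and its trailing space */
            removed += len + 1;
            break;
        }
    }
    return removed;
}
```

A tag such as `info:` is left alone because the whole word, colon included, has to match a severity name. In a parser module the caller would then report failure so the standard parser handles the cleaned message, as the reply describes.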
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog